Bug#693420: CVE-2012-5526: perl and libcgi-pm-perl: newline injection

Dominic Hargreaves dom at earth.li
Sun Nov 18 12:31:44 UTC 2012


On Sun, Nov 18, 2012 at 12:08:21PM +0200, Niko Tyni wrote:
> Testing with the new testcases in CGI.pm-3.62, CVE-2012-5526 (CGI.pm
> newline injection in Set-Cookie and P3P headers) affects all of squeeze,
> wheezy, and sid.
> 
> The attached patch should apply to the wheezy and sid versions; squeeze
> may need some backporting at least for the testcases, and the perl package
> needs filename modifications due to the different directory structure.
> 
> The sid and wheezy versions of libcgi-pm-perl have diverged, so
> I suppose this needs to go in wheezy via tpu.

As both bugs are important rather than RC, neither a t-p-u upload
for libcgi-pm-perl nor an upload for perl including this would
qualify for migration to testing under the tightened up freeze policy[1],
so CCing debian-release for opinions from their side.

Cheers,
Dominic.

[1] <http://release.debian.org/wheezy/freeze_policy.html>

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)



